3.3.1 NTLM v1 Authentication

The following pseudocode defines the details of the algorithms used to calculate the keys used in NTLM v1 authentication.

Note The LM and NTLM authentication versions are not negotiated by the protocol. The version MUST be configured on both the client and the server prior to authentication. The NTOWF v1 function defined in this section is NTLM version-dependent and is used only by NTLM v1. The LMOWF v1 function defined in this section is also version-dependent and is used only by LM and NTLM v1.

The NT and LM response keys MUST be encoded using the following specific one-way functions where all strings are encoded as RPC_UNICODE_STRING ([MS-DTYP] section 2.3.10).

-- Explanation of message fields and variables:
-- ClientChallenge - The 8-byte challenge message generated by the client.
-- LmChallengeResponse - The LM response to the server challenge. Computed by the client.
-- NegFlg, User, UserDom - Defined in section 3.1.1.
-- NTChallengeResponse - The NT response to the server challenge. Computed by the client.
-- Passwd - Password of the user. If the password is longer than 14 characters, then the LMOWF v1 cannot be computed. For LMOWF v1, if the password is shorter than 14 characters, it is padded by appending zeroes.
-- ResponseKeyNT - Temporary variable to hold the results of calling NTOWF().
-- ResponseKeyLM - Temporary variable to hold the results of calling LMGETKEY.
-- CHALLENGE_MESSAGE.ServerChallenge - The 8-byte challenge message generated by the server.
--
-- Functions Used:
-- Z(M) - Defined in section 6.

Set ResponseKeyNT to NTOWFv1(Passwd, User, UserDom)
Set ResponseKeyLM to LMOWFv1(Passwd, User, UserDom)
Define ComputeResponse(NegFlg, ResponseKeyNT, ResponseKeyLM,
    CHALLENGE_MESSAGE.ServerChallenge, ClientChallenge, Time, ServerName)
As
    If (User is set to "" AND Passwd is set to "")
        -- Special case for anonymous authentication
        Set NtChallengeResponseLen to 0
        Set NtChallengeResponseMaxLen to 0
        Set NtChallengeResponseBufferOffset to 0
        Set LmChallengeResponse to Z(1)
    Else
        If (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag is set in NegFlg)
            Set NtChallengeResponse to DESL(ResponseKeyNT,
                MD5(ConcatenationOf(CHALLENGE_MESSAGE.ServerChallenge,
                ClientChallenge))[0..7])
            Set LmChallengeResponse to ConcatenationOf(ClientChallenge, Z(16))
        Else
            Set NtChallengeResponse to DESL(ResponseKeyNT,
                CHALLENGE_MESSAGE.ServerChallenge)
            If (NoLMResponseNTLMv1 is TRUE)
                Set LmChallengeResponse to NtChallengeResponse
            Else
                Set LmChallengeResponse to DESL(ResponseKeyLM,
                    CHALLENGE_MESSAGE.ServerChallenge)
            EndIf
        EndIf
    EndIf

Set SessionBaseKey to MD4(NTOWF)

On the server, if the user account to be authenticated is hosted in Active Directory, the challenge-response pair MUST be sent to the DC to verify ([MS-APDS] section 3.1.5).

The DC calculates the expected value of the response using the NTOWF v1 and/or LMOWF v1, and matches it against the response provided. If the response values match, it MUST send back the SessionBaseKey; otherwise, it MUST return an error to the calling application. The server MUST return an error to the calling application if the DC returns an error. If the DC returns STATUS_NTLM_BLOCKED, then the server MUST return STATUS_NOT_SUPPORTED.

If the user account to be authenticated is hosted locally on the server, the server calculates the expected value of the response using the NTOWF v1 and/or LMOWF v1 stored locally, and matches it against the response provided. If the response values match, it MUST calculate KeyExchangeKey; otherwise, it MUST return an error to the calling application.<72>
